About two weeks ago, I discovered an open URL redirection vulnerability in Facebook that allowed me to have a facebook.com link redirect to any website without restrictions or user confirmation.
Description:
[#] Title : Facebook Open URL Redirection
[#] Status : fixed
[#] Severity : High
[#] Works on : Any browser with any version
[#] Homepage : www.facebook.com
[#] Author : Jitendra Jaiswal ( India )
The flaw existed in the way Facebook handled the `u` parameter of `a.php`. Visiting the link below would always redirect to the Facebook homepage:
http://www.facebook.com/a.php?u=http%3A%2F%2Fjeet.com
But I noticed that changing the value of `u` to a different URL, for example:
http://www.facebook.com/a.php?u=http%3A%2F%2Fyahoo.com
makes yahoo.com the target destination, and the redirect succeeds without any confirmation.
Facebook has the ability to filter and ban particular websites from being redirected to, using its automatic spam and malware analysis. But not all malware/spam can be caught by Facebook, and by the time a link is banned, an attacker would already have moved on to another link.
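The usual fix for this class of bug is to validate the `u` value server-side before issuing the redirect, rather than relying on after-the-fact spam filtering. The following is an added example of such a validator, not Facebook's code: it accepts only same-site relative paths or absolute URLs whose host is on a constructed allowlist, and falls back to the homepage for everything else, including the scheme-relative, backslash and userinfo variants that commonly bypass naive checks.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed allowlist and fallback for this demo; a real service uses its own.
ALLOWED_HOSTS = {"www.facebook.com", "facebook.com"}
FALLBACK = "https://www.facebook.com/"


def safe_redirect_target(u, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return a redirect target that stays on an allowed host, else the fallback.

    Accepts same-site relative paths ("/profile.php?id=4") and absolute URLs
    whose host is allowlisted. Rejects other hosts, scheme-relative "//host",
    backslash and triple-slash forms, userinfo tricks ("allowed@evil") and
    non-http schemes such as javascript: or data:.
    """
    if not u:
        return fallback
    u = u.strip()
    if any(c.isspace() or ord(c) < 0x20 for c in u):  # embedded whitespace/control
        return fallback
    u = u.replace("\\", "/")  # browsers treat backslashes as forward slashes
    parts = urlsplit(u)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback
    if not parts.netloc:
        # Relative target: require exactly one leading slash, since "//host" and
        # "///host" are both resolved by browsers as a new authority.
        if u.startswith("/") and not u.startswith("//"):
            return u
        return fallback
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    if host not in allowed_hosts:
        return fallback
    # Rebuild without userinfo/port and force https on the way out.
    return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))


def resolve_u_param(request_url):
    """Extract the u= parameter from a full request URL and validate it."""
    query = urlsplit(request_url).query
    u = parse_qs(query).get("u", [""])[0]  # parse_qs percent-decodes the value
    return safe_redirect_target(u)


if __name__ == "__main__":
    for url in ("http://www.facebook.com/a.php?u=http%3A%2F%2Fyahoo.com",
                "http://www.facebook.com/a.php?u=%2Fprofile.php%3Fid%3D4"):
        print(url, "->", resolve_u_param(url))
```

With this check in place, the yahoo.com link from the post above lands on the homepage instead of leaving the site, while legitimate on-site targets still work.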
Video Proof of Concept:
Facebook responded 12 days after my report, and they were quick to patch the flaw in about a week and a half. The payout for this bug was $1,000.